CVE-2026-47325
Deferred Deferred - Pending Action
Predictable Password Generation in ProjectsAndPrograms School-Management-System

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: CERT.PL

Description
ProjectsAndPrograms school-management-system uses predictable credentials by generating student's and teacher's passwords solely from the user’s date of birth (e.g., 12072000 for 12 July 2000). The application does not require or prompt users to change the password upon first login. This behavior allows attackers to easily guess or derive valid credentials, leading to unauthorized account access. The maintainers were notified early about this vulnerability but did not provide details regarding affected versions. The version corresponding to commit 6b6fae5 was tested and confirmed vulnerable; other versions were not tested and may also be affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-47325
EUVD
EUVD-2026-34094
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
projectsandprograms school-management-system From 6b6fae5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1391 The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-47325 is a vulnerability in the ProjectsAndPrograms school-management-system where passwords for students and teachers are generated solely from the user's date of birth (for example, 12072000 for July 12, 2000). The system does not require or prompt users to change these default passwords upon first login.

Because the passwords are predictable and not changed, attackers can easily guess or derive valid credentials, which leads to unauthorized access to user accounts.

Impact Analysis

This vulnerability can lead to unauthorized access to student and teacher accounts within the school-management-system.

Attackers can exploit the predictable password scheme to compromise accounts, potentially gaining access to sensitive personal information and school-related data.

Detection Guidance

This vulnerability can be detected by checking if user passwords are generated solely from their date of birth and if the system does not require password changes upon first login.

To detect this on your system, you can attempt to authenticate using passwords derived from known or guessed dates of birth for student or teacher accounts.

There are no specific commands provided in the available resources to detect this vulnerability automatically.

Mitigation Strategies

Immediate mitigation steps include enforcing a password change upon first login to prevent continued use of predictable passwords.

Additionally, avoid using predictable credentials such as dates of birth for password generation.

Implement stronger password policies requiring complex and unique passwords for all users.

Compliance Impact

The vulnerability involves the use of predictable credentials based solely on users' dates of birth without requiring password changes upon first login. This weakness allows attackers to easily guess or derive valid credentials, leading to unauthorized account access.

Such unauthorized access to user accounts, especially in a school-management system handling personal data, could lead to violations of data protection regulations like GDPR or HIPAA by compromising the confidentiality and security of personal information.

However, the provided information does not explicitly discuss the impact on compliance with these standards or any regulatory consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47325. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart